Quietly and over some objections, a national digital vaccine card has emerged

Whether they realize it or not, about 200 million people in the United States now likely have access to a Covid-19 digital vaccine card.

The fact that the system exists in any form is a triumph for a loose coalition of technologists, nonprofit groups and mostly Democratic states that championed the development of a digital vaccine card even before the first coronavirus shots were administered. [...]

In California alone, 7 million individuals have downloaded their QR code, and he estimated that about 80 percent of the vaccinated U.S. population of 247 million people have access to a SMART Health Card if they want one through either their state health authority or the site where they were vaccinated, such as a pharmacy or a hospital. [...]

But people involved in the project said it may have gone more smoothly if President Joe Biden had agreed to coordinate it. [...] Anderson said other countries haven't always known whom to speak with in the U.S. to plan cross-border systems. "They're turning to the states, they're turning to VCI, and it's a challenge for a state to conduct foreign diplomacy," he said.

Oh hey that's me:

"We won't be safe until venues are able to require SMART Health QR codes and stop accepting paper cards, or photos of cards. And that won't happen until state or local governments mandate that," said Jamie Zawinski, a software developer who also owns a night club, DNA Lounge, in San Francisco. He requires customers to have the QR code or, for now, their paper CDC card.

DNA Lounge not only requires people to display the QR code, but it also scans the code using a smartphone app to verify that the codes are authentic -- making the club one of the few businesses anywhere in the U.S. to take that extra step.

The primary scanning app available, the SMART Health Card Verifier App, has been used about 750,000 times this month, and the trend line indicates usage is doubling month over month, Anderson said.

So... those 200,000,000 people with access to QR codes have scanned them 24,000 times per day. That's 0.012%. That's not a lot.

I mean, in the last 30 days, DNA Lounge alone accounted for around 0.23% of the total number of scans nationally. That's like 1 in 440.

Previously, previously, previously, previously, previously, previously.

Tags: , , , , ,

68 Responses:

  1. ducksauz says:

    I'm not going out that much, but the handful of times I have displayed my QR code to any host/bartender/server, none of them has scanned it. DNA Lounge is the only place I've heard of that is doing it. I wish everyone was.

  2. Amy says:

    Here in Colorado, the myColorado app can be used to store both SMART QR codes and digital vaccine card images. It's kept up with the fact that I got my Moderna shots at Denver Health Lowry Clinic but got my booster at Walgreens. (The Apple Wallet version doesn't get that. Should that be updated over time?)

    It also stores a digital image of your driver's license, so it's good for other things.

    I don't know any place that's actually scanning QR codes, though, not even the bars that require vax to enter.

    • jwz says:

      When you get a new shot, you need to download a new QR code. All the data is self-contained inside the code, the verification app does not contact the network for your info.

      • Amy says:

        Yeah, that worked. I just had to go into the Wallet and the Health app and delete the old record (with only the 2 shots in it) after I got the new one (with all 3). A minor inconvenience; you'd think Apple would know to just overwrite the old information with the update.

    • jon says:

      I've chatted with the security staff at a few Denver venues. There are definitely groups of immunocompromised (and Just Don't Want Fucking COVID) patrons who've been trying to get people to attend nights where they check cards. Unfortunately, that was around for a few weeks then stopped.

      FFS, you have to show your ID to get in - showing 1 more thing shouldn't be rocket science.

      I've been (thankyou jwz) aware of the SMART free apps. It's an uphill battle for which the IT infrastructure isn't there, apparently society can only be reactive not proactive. I'll still be yelling at my district councilmember about it though.

    • ContextSans says:

      Yes, if you go back to the SMART website and re-download the card to your wallet, it’ll update. I was also disappointed that it didn’t do that automagically.

  3. Miguel says:

    I worry about tracking. I don't really want some startup having a database of everytime I went to the bar.

    • jwz says:

      Whereas I don't want to die. Yeah, those seem about the same.

      • Miguel says:

        I remember you fought against SFPD video surveillance at DNA Lounge. The bouncer scanner apps are the same thing except with some VCs profiting as intermediaries.

        • Ingvar says:

          Er? What now?

          In one case, you have a governmental organisation requesting video surveillance of a specific location.

          In the other case, you have a business verifying that customers consenting to the scan have been properly vaccinated (they may or may not then keep a record of said verification).

          These are very, very, different things. Both potentially infringe your privacy, but for one of them you are DEFINITELY aware that it is happening and can opt out of attending the venue up until the point the scan is done.

        • tfb says:

          Except that in one case there is the whole 'dying or killing a bunch of other people' thing and on the other there isn't.

          If you think these are the same thing there is something wrong with your mind.

    • Grey Hodge says:

      So I assume when you go to bars you never take your phone (GPS or cell tower tracking), and never pay with a card, only cash. You never post about it on twitter or Facebook, never Google directions or the hours of a bar, etc.


      • Miguel says:

        Jeez when you put it that way makes me not want to ever go out again.

        • Grey Hodge says:

          I'm just trying to show that the idea that "some organization might track me" was something we should have worried about in the 80s when electronic credit scores became a thing. If you carry a cell phone and use credit cards, you don't have to worry about some startup tracking you because a dozen huge corporations are already doing it, and you help when when you post online.

          Those loyalty cards? Those are a FIREHOSE of trackable data. I don't use them except my Kroger card because none of them offer me benefits worth the hassle of a thousand cards in my wallet. Do I care that Kroger knows when I buy paper towels? No. They could publish it in their employee newsletter for all I care. Today I went over to Lowes and bought some aluminum angle for a project. Google knows I searched for it, and clicked to Lowes to see what they had. I couldn't care less.

          But more usefully, think about the fact that, in reality, you are most likely (and I CERTAINLY am) an insignificant cog in the world, not WORTH tracking beyond your data aggregated with others to figure out how to sell you crap. Beyond that, no one you don't know cares when you go to the bar. It's a silly thing to worry about. There's no need to help them, but there's no point in worrying about it either.

          Go get vaccinated, don't worry about who knows. No one cares.

          • MattyJ says:

            Cell phone companies themselves sell your data to whoever wants it before you even launch an app.

            Add to this 'ever driven through a tollbooth', 'ever crossed a bridge', 'ever purchased an antihistamine', 'even gotten a speeding ticket', 'ever registered to vote'.

            I could go on.

            'Ever joined Costco', 'ever used a gift card', 'ever joined a gym', 'ever rented a car', 'ever given birth', 'ever had been birthed', 'ever purchased real estate', 'ever paid rent not in cash'.

            I could go on ...

            • Jon says:

              > 'ever had been birthed'

              Boy, it sure would be embarrassing if the truth ever came out about that. Hope nobody finds out....

    • Erin M. says:

      I'm fine with it all IF I can have access to the source code to see exactly what it does. Otherwise, I'll stick with my paper.

      • jwz says:

        Allowing you to "stick with your paper" means the system has no security of any kind at all, and is wide open for abuse by antivaxxer lunatics who are going to kill us all.

        So I am going to do everything I can to make it so that you do not have the option of sticking with your paper.

        Get some FUCKING PRIORITIES.

        • jwz says:

          The source code IS open, you complete jackass.

          • Erin M. says:

            Well, I'll take the high ground here:

            I was not aware of that; perhaps I should have been. However, stooping the level of calling me a "complete jackass" is inappropriate and childish. You should get your emotions under control. My respect for you is waning at this moment.

            • jwz says:

              You know why I'm emotional? Because you are a dangerous idiot. And there are a lot of people like you out there actively trying to get me and my friends killed.

              Fuck you very much.

              • Erin M. says:

                No Jamie, I am not. And you also don't know me or anything about me.

                Fuck you too.

        • Nik says:

          Disregarding the wider hell on earth, I would buy t-shirts with that final statement overlaid the DNA logo front and back.

          I'm shying further and further away from the shitshoe my UK compatriots seem to be proudly slopping around in - so from afar and for what internet words are worth I applaud your lives-over-profits stance.

        • tfb says:

          Please do make a t shirt as the other comment says. I'd buy one even across the atlantic.

      • the hatter says:

        Sure, you can see the source code. I'll give you a printout.

    • ContextSans says:

      I have bad news for you about Square and Stripe.

  4. max says:

    I have access to one, apparently because my hospital uses Epic for medical records. Searching indicates that is going to account for an awful lot of that potential coverage (used by hospitals serving ~half of the US population).

  5. Dude says:

    I mentioned on Violet's latest Round-Up that I went to the SF Zoo this past Saturday, thinking that 11am on a weekend during a pandemic would have light crowds for my 41st birthday jaunt. Nope - the crowds were heavy, and although you needed a mask to get in (not all of which were like the KN95 I wore), the guards did the "glance-and-hand-wave" vax-check for people who (not all) took off their masks once in the zoo proper.

    That was despite signs everywhere specifically asking guests to keep their masks on because we stupid humans give animals COVID, too. I actually almost went to DNA for Capricorn that night, but wound up going home. At least I know that at the Lounge I wouldn't have been on edge the whole time.

    Everyone should get the QR code and the SMART Verifier app, which is also free and available to everyone. I have both, so I know there's no reason for venues not to use them.

  6. Jim says:

    I got my primary series in MA at a mass vax site, but
    my booster in another state at a Walgreens.

    I downloaded the two qr codes to my wallet, but there’s no way I can see to merge these - the MA website says to have the other provider submit it to them, Walgreens obviously had absolutely no idea what I was talking about when I called them.

    You’re not going to solve that, but as the one who’s seemingly pioneering what venues could / should be doing - am I going to get rejected, glared / sighed at / etc, for having the two codes?

    • jwz says:

      If both codes have your name on them, I don't see why it would be a problem.

      The various vaccinators have also gotten better at uploading their data to the state databases, as time has gone on. I've heard anecdotes from people who got vaccinated at some-weird-spot and couldn't get their QR code; and then a couple of months later, it worked.

    • dshea says:

      Your PCP may be able to merge the data, if they’re on a system that uses Epic or Cerner and probably some others. I got my first shot out of state at a pharmacy that won’t give me a QR code, but I sent my doctor all the info and now I have a code with first round plus booster issued from my provider’s mychart.

  7. Carlos says:

    I'm in another country and so DNA's policies aren't likely to affect me - but I'd like to express my gratitude to jwz about this anyway.

    There are way, way too many people in positions of authority who are refusing to do even the obvious, huge benefit-to-cost ratio things simply because they don't want to draw the attention of the anti-vax, anti-mask, anti-science idiot brigade.

    jwz has the guts to put the courage of his convictions ahead of "but I don't want to argue with potential customers", and that should be applauded.


  8. Eric says:

    I'm not opposed to the idea of a vaccine passport at all, but after jumping through hoops to sign up for Clear only to find it deleted my data a few days later I was pissed and deleted the app.

    Am I crazy for expecting this shit to actually work? My bar for email is lower than this. Email. Fucking EMAIL.

    • jwz says:

      Fuck Clear. They're basically war profiteers. The started out as a tick that had embedded itself inside that sweet, sweet TSA underbelly, but charging businesses for the pleasure of checking customers' vax status is a new low.

  9. Ben says:

    I recently lived in Cyprus, where they made it so that you have to show the vaccine passport to get in basically any store larger than a convenience store, or eat in at a restaurant even if it's small. There were some concerns about people having other people's health data, so the rule is that you can scan the barcode with a phone but it's supposed to be owned by the company rather than employee's personal phones. The wallet app and scan app are made by the government, but the QR code itself is EU-standard. Most places actually scan, higher throughput places like large grocery stores tend to have a barcode scanner gun that is much faster than a 70 year old trying to get a phone to focus.

    I'm currently in Greece where it's not required in stores but it is in restaurants, and in maybe a quarter of the checks they've also asked for ID to check the name on the phone to a face. If this ends up being a long term Europe-wide thing it would be better if there was some way to get a verified photo into the app with the QR code; in Cyprus I don't usually carry ID on me, just phone and keys.

    Tests also end up in the app next to vaccinations. Official rapid tests are 10 euro and available at almost every pharmacy. The Cyprus app works in Greece, no need to localize. In Spain, at least in early December, there were no scans.

    So the whole process works fairly well except for occasional protests by brexiteers. I do wish there was more science on if it was all actually helping; Cyprus is getting hit fairly hard by omnicron but is also the global testing leader per capita (140 per thousand, vs 5 in the US), so it's hard to tell if it's actually getting hit hard or if it's just the only country that actually knows how bad things are.

  10. jack says:

    As a non-American, what's to prevent you, as patron, deciding to refusing DNA Lounge entry to anyone not willing to provide a digital pass?

  11. Matt Lee says:

    Starting tomorrow in Boston they’re supposed to start checking the cards or the QR codes at bars, movie theaters and most indoor things. I’ll be curious to see how it works out in practice.

    I’m mostly looking forward to finding places that do check. One place in Cambridge has been doing something similar to what you’ve been doing at DNA and it was easy and quick, an extra 10 seconds over checking ID.

  12. Jason says:

    Sigh. I got my first round at a state run clinic operated by our local Hospital (which is also the ONLY hospital in our county.) Even though my paper card lists the hospital as provider the hospital didn't list it in my digital record. They actually requested that I manually enter my own information and upload a photo of the card as proof so they could add it.

    Even though I did that back in October it still shows me as "No Vaccine Received" but with a note that I've submitted information and it's waiting to be reviewed when I just went to try and add my booster (which I got a pharmacy because the mass clinics didn't come back for boosters here.) And since my info is in this waiting to be reviewed limbo - there's no option to update with booster info.

    Though since neither my state, nor the hospital, nor the pharmacy where I got my booster participate in SMART - it doesn't really matter anyway.

    My daughter's record (same Epic based system since it's the same hospital/providers) doesn't even have the "COVID" section mine does even though she's had several tests done now (all negative thankfully) due to contacts at school and a case of Rhinovirus (which normally they wouldn't have even bothered to test for but after her first negative covid test they decided they may as well get a much info as possible out of the second swabbing they ordered to make sure it really wasn't covid.)

    So...my POV is a bit biased and I know my state is particularly backwards on this kind of stuff and I'm in a particularly backwards corner of it. But...I find it hard to believe that a system that has only be adopted by 13 states is covering 60% of the population. And even 60% doesn't really feel like a "national system" to me. I do see that there are also a lot of individual hospitals/providers participating in SMART - but I still find it extra hard to believe that 80% of those who are vaccinated are eligible to take advantage of it.

    • CodeStranger says:

      Well, 13 states isn't so hard to believe, I think. If I look at the top 5 most populous states, they account for ~123 million people.

    • Ben says:

      > I find it hard to believe that a system that has only be adopted by 13 states is covering 60% of the population.

      This is part of why national politics are so fucked up, people have no intuitive sense for how insane it is to give North Dakota two senators and a representative despite being smaller than San Francisco.

      • Jason says:

        Well aware of that. And fully expected some pushback. With NY and CA both included I know that makes for a large chunk of population - though still "only" ~60 million so about 6% of the country. I was going to check actual numbers but didn't find the actual list of the 13 states until now. Also - apparently one of the 13 states is actually a territory (Puerto Rico)

        I checked populations on Wolfram Alpha and got:
        CA 39.58 million
        NY 20.22 million
        CO 5.782 million
        CT 3.608 million
        HI 1.46 million
        IL 12.82 million
        LA 4.661 million
        NJ 9.294 million
        PR 2.86 million
        RI 1.098 million
        UT 3.275 million
        VA 8.655 million
        WA 7.716 million

        Which comes to a total of 121.029 million residents in those 13 "states"

        With the US population listed as 331 million...that's more like 36% of the US covered at the state level instead of 60%.

        So the hospital networks and pharmacies are doing almost as much (more if you consider the 80% tossed out in the article) than state level participation.

        I'm all for the system...but I still say it's a stretch to call it "nationwide" at this point.

        • jwz says:

          If the participation of various corporate health networks means that 80% of the population has access, who gives a shit how we got there?

          What point are you trying to make here? Is it that someone is lying and you can't prove it? Or is it that you think that some of these peoples' QR codes "don't count" because they got them from their HMO instead of the state?

          • Jason says:

            I'm frustrated that I can't take part in the system. The nationwide pharmacy I used for my booster doesn't participate, the only health network available to me where I live doesn't participate, and my state doesn't participate.

            I'm all for the system and want to see it FAR more widely adopted.

            I don't care if the QR comes from a HMO, Pharmacy, or state - I want to see it adopted and actually available. I think the 80% claim is way optimistic and am worried that claims like that will make it less likely that more will sign on since "Oh, 80% are already covered why should we make the effort it's already covered"

            • jwz says:

              Well when the people running the program say "about 80% are covered" and you say "but I'm not part of that 80% so I don't believe them", you're very firmly into "cool story, bro" territory.

              Obviously we all want more coverage, but you calling them liars with nothing to back it up is not super productive.

  13. The thing is, the promise at the link in OP is basically bullshit if you live out in the ungovernable tribal regions.

    It looks like, right now, if you have a Smart Health code it was gotten because you live in a State that has signed on. If you live elsewhere, and try to find a private issuer, you encounter... emptiness. Nothing. A vacant lot at the address where you expected to find help. Even if the health care org that injected you with the vaccine has signed on as a Smart Health Card issuer, good fucking luck locating the person at that organization who has any idea what you're even talking about when you ask how to get your Smart Health Card.

  14. It's been super-handy to have this in my phone's wallet--I quickly lost track of my paper card, and it's a pain to look for the image of the card in my photo album. However, (a) I've never had anyone take the extra step of verifying the code, and (b) my booster doesn't appear on it for some reason.

    • Dude says:

      You have to uninstall-and-redownload it for the booster to show up.

    • Nik says:

      Ok, I'm way off-topic (thanks beer!) but extending my t-shirt suggestion I would love to have a stack of DNA business cards suggesting the recipient "get some FUCKING PRIORITIES"

      Seems like a sentiment that will be relevant even if we ever get to April 2020.

    • Nate says:

      For the photo of the QR code, you can swipe up on the photo in iOS Photos and type in something like "vaccine vaccination virus pass" as the title. This makes it easily searchable. Or just download the Wallet version, which I find easier to use.

  15. Vincent Janelle says:

    In BC, Canada, we have QR codes. The screenshot you are encouraged to capture and shot says your name, your birthdate, and a QR code. You don't have to capture that version though, you can have one that just has a QR code and says "vaccinated".

    Everyone looks at that, asks for your ID, and goes "yup, you have a screenshot of a QR code with your name on it." Except for me, which doesn't say my name on it. And then they wave me through.

    Large chain restaurants will actually check it though, and IIRC so will movie theaters.

  16. The death count for COVID will reach a million soon. Today it is just 146,660 short of a million.

  17. Dude says:

    He speaks for all of us:

  18. Meanwhile, in England, the Government has abolished Covid-19 so we won't need a digital vaccine card any more.

  19. Jay Carlson says:

    It's not precisely the most privacy-preserving technology. The important thing is that I've had three shots; you don't need to know my name, or anything beyond, say, hand geometry at most.

    The most obvious tool in the crypto box for this is Direct Anonymous Attestation which has a number of interesting features which can actually be used for Good for once.

    • jwz says:

      The only way we have of verifying that those are actually your shots is by comparing your cryptographically-signed name to the one on your driver's license, a physical object you must be in possession of which has actual security features making it difficult to forge.

      • Jay Carlson says:

        Biometric enrollment during download, or before or on first use seems close enough. That is, assuming we already have ways to dissuade multiple-vax stooges from selling proof of a multiple-month course of treatment they got the hard way. I mean — it's public health, you don't need to outrun the bear.

        I suspect that you could build a system that allowed biometric self-updates every n days, but that's going to involve the readers being sporadically online. Existing readers have to be anyway, to deal with revocation. Say, I wonder what's going to happen with the existing fraud cases....

        The thing I don't like about this is that it makes a smartphone the price of privacy.

        • jwz says:

          Dude, nobody gives a shit about your hypothetical thing that maybe could have been built. It was not. You didn't build it and neither did anybody else. Therefore it is not available for us to use. Fuck off and go bikeshed somewhere else. The rest of us are trying to use the tools available to stay alive.

          • jwz says:

            I still don't give a shit. Go workshop your next-gen whatever somewhere else. Meanwhile, use what is available to keep people fucking alive.

  • Previously